Enable the -XX:[+|-]CRIUSecProvider jvm option

jcl/src/java.base/share/classes/openj9/internal/criu/InternalCRIUSupport.java

@@ -25,17 +25,15 @@
 /**
  * Internal CRIU Support API
  */
-/*[IF JAVA_SPEC_VERSION >= 17]*/
-@SuppressWarnings({ "deprecation", "removal" })
-/*[ENDIF] JAVA_SPEC_VERSION >= 17 */
 public final class InternalCRIUSupport {
 	private static final boolean criuSupportEnabled = isCRIUSupportEnabledImpl();
 	private static long checkpointRestoreNanoTimeDelta;
 
-	private static native boolean isCRIUSupportEnabledImpl();
-	private static native boolean isCheckpointAllowedImpl();
+	private static native boolean enableCRIUSecProviderImpl();
 	private static native long getCheckpointRestoreNanoTimeDeltaImpl();
 	private static native long getLastRestoreTimeImpl();
+	private static native boolean isCRIUSupportEnabledImpl();
+	private static native boolean isCheckpointAllowedImpl();
 
 	/**
 	 * Retrieve the elapsed time between Checkpoint and Restore.
@@ -70,6 +68,20 @@ public synchronized static boolean isCRIUSupportEnabled() {
 		return criuSupportEnabled;
 	}
 
+	/**
+	 * Checks if CRIU Security provider is enabled
+	 * when CRIU support is enabled.
+	 *
+	 * @return true if enabled, otherwise false
+	 */
+	public static boolean enableCRIUSecProvider() {
+		boolean isCRIUSecProviderEnabled = false;
+		if (criuSupportEnabled) {
+			isCRIUSecProviderEnabled = enableCRIUSecProviderImpl();
+		}
+		return isCRIUSecProviderEnabled;
+	}
+
 	/**
 	 * Queries if CRIU Checkpoint is allowed.
 	 * isCRIUSupportEnabled() is invoked first to check if CRIU support is enabled,

jcl/src/openj9.criu/share/classes/org/eclipse/openj9/criu/CRIUSupport.java

@@ -203,6 +203,17 @@ public static boolean isCRIUSupportEnabled() {
 		return (nativeLoaded && InternalCRIUSupport.isCRIUSupportEnabled());
 	}
 
+	/**
+	 * Checks if the CRIUSecProvider is enabled when CRIU
+	 * checkpoints are allowed (checks whether -XX:-CRIUSecProvider
+	 * has been specified).
+	 *
+	 * @return true if CRIUSecProvider is enabled, otherwise false
+	 */
+	public static boolean enableCRIUSecProvider() {
+		return InternalCRIUSupport.enableCRIUSecProvider();
+	}
+
 	/**
 	 * Queries if CRIU Checkpoint is allowed. With -XX:+CRIURestoreNonPortableMode enabled
 	 * (default policy) only a single checkpoint is allowed.

runtime/jcl/common/criu.cpp

@@ -71,5 +71,18 @@ Java_openj9_internal_criu_InternalCRIUSupport_isCRIUSupportEnabledImpl(JNIEnv *e
 
 	return res;
 }
+
+jboolean JNICALL
+Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl(JNIEnv *env, jclass unused)
+{
+	J9VMThread *currentThread = (J9VMThread *)env;
+	jboolean res = JNI_FALSE;
+
+	if (currentThread->javaVM->internalVMFunctions->enableCRIUSecProvider(currentThread)) {
+		res = JNI_TRUE;
+	}
+
+	return res;
+}
 #endif /* defined(J9VM_OPT_CRIU_SUPPORT) */
 }

runtime/jcl/exports.cmake

@@ -670,6 +670,7 @@ endif()
 # J9VM_OPT_CRIU_SUPPORT
 if(J9VM_OPT_CRIU_SUPPORT)
 	omr_add_exports(jclse
+		Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl
 		Java_openj9_internal_criu_InternalCRIUSupport_getCheckpointRestoreNanoTimeDeltaImpl
 		Java_openj9_internal_criu_InternalCRIUSupport_getLastRestoreTimeImpl
 		Java_openj9_internal_criu_InternalCRIUSupport_isCheckpointAllowedImpl

runtime/jcl/uma/criu_exports.xml

@@ -20,6 +20,7 @@ OpenJDK Assembly Exception [2].
 SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0 OR GPL-2.0-only WITH OpenJDK-assembly-exception-1.0
 -->
 <exports group="criu">
+	<export name="Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl" />
 	<export name="Java_openj9_internal_criu_InternalCRIUSupport_getCheckpointRestoreNanoTimeDeltaImpl" />
 	<export name="Java_openj9_internal_criu_InternalCRIUSupport_getLastRestoreTimeImpl" />
 	<export name="Java_openj9_internal_criu_InternalCRIUSupport_isCheckpointAllowedImpl" />

runtime/oti/j9nonbuilder.h

@@ -4205,6 +4205,7 @@ typedef struct J9DelayedLockingOpertionsRecord {
 #define J9VM_CRIU_IS_JDWP_ENABLED 0x8
 #define J9VM_CRIU_IS_THROW_ON_DELAYED_CHECKPOINT_ENABLED 0x10
 #define J9VM_CRIU_IS_PORTABLE_JVM_RESTORE_MODE 0x20
+#define J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER 0x40
 
 typedef struct J9CRIUCheckpointState {
 	U_32 flags;
@@ -5025,6 +5026,7 @@ typedef struct J9InternalVMFunctions {
 	BOOLEAN (*jvmRestoreHooks)(struct J9VMThread *currentThread);
 	BOOLEAN (*isCRIUSupportEnabled)(struct J9VMThread *currentThread);
 	BOOLEAN (*isCRIUSupportEnabled_VM)(struct J9JavaVM *vm);
+	BOOLEAN (*enableCRIUSecProvider)(struct J9VMThread *currentThread);
 	BOOLEAN (*isCheckpointAllowed)(struct J9VMThread *currentThread);
 	BOOLEAN (*isNonPortableRestoreMode)(struct J9VMThread *currentThread);
 	BOOLEAN (*isJVMInPortableRestoreMode)(struct J9VMThread *currentThread);

runtime/oti/jclprots.h

@@ -1292,6 +1292,9 @@ Java_jdk_internal_misc_ScopedMemoryAccess_closeScope0(JNIEnv *env, jobject insta
 
 #if defined(J9VM_OPT_CRIU_SUPPORT)
 /* criu.cpp */
+jboolean JNICALL
+Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl(JNIEnv *env, jclass unused);
+
 jlong JNICALL
 Java_openj9_internal_criu_InternalCRIUSupport_getCheckpointRestoreNanoTimeDeltaImpl(JNIEnv *env, jclass unused);
 

runtime/oti/jvminit.h

@@ -424,6 +424,8 @@ enum INIT_STAGE {
 #if defined(J9VM_OPT_CRIU_SUPPORT)
 #define VMOPT_XXENABLECRIU "-XX:+EnableCRIUSupport"
 #define VMOPT_XXDISABLECRIU "-XX:-EnableCRIUSupport"
+#define VMOPT_XXENABLECRIUSECPROVIDER "-XX:+CRIUSecProvider"
+#define VMOPT_XXDISABLECRIUSECPROVIDER "-XX:-CRIUSecProvider"
 #define VMOPT_XXENABLECRIUNONPORTABLEMODE "-XX:+CRIURestoreNonPortableMode"
 #define VMOPT_XXDISABLECRIUNONPORTABLEMODE "-XX:-CRIURestoreNonPortableMode"
 #define VMOPT_XXENABLEJVMRESTOREPORTABLEMODE "-XX:+JVMPortableRestoreMode"

runtime/oti/vm_api.h

@@ -517,6 +517,17 @@ isCRIUSupportEnabled(J9VMThread *currentThread);
 BOOLEAN
 isCRIUSupportEnabled_VM(J9JavaVM *vm);
 
+/**
+ * @brief Checks if the CRIU security provider is enabled when CRIU
+ * checkpoints are allowed. By default it is enabled, it can be disabled with
+ * -XX:-CRIUSecProvider.
+ *
+ * @param currentThread vmthread token
+ * @return TRUE if enabled, FALSE otherwise
+ */
+BOOLEAN
+enableCRIUSecProvider(J9VMThread *currentThread);
+
 /**
  * @brief Queries if checkpointing is permitted. Note, when
  * -XX:+CRIURestoreNonPortableMode option is specified checkpointing

runtime/vm/CRIUHelpers.cpp

@@ -128,6 +128,18 @@ isCheckpointAllowed(J9VMThread *currentThread)
 	return result;
 }
 
+BOOLEAN
+enableCRIUSecProvider(J9VMThread *currentThread)
+{
+	BOOLEAN result = FALSE;
+
+	if (isCRIUSupportEnabled(currentThread)) {
+		result = J9_ARE_ANY_BITS_SET(currentThread->javaVM->checkpointState.flags, J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER);
+	}
+
+	return result;
+}
+
 BOOLEAN
 isNonPortableRestoreMode(J9VMThread *currentThread)
 {

runtime/vm/intfunc.c

@@ -409,6 +409,7 @@ J9InternalVMFunctions J9InternalFunctions = {
 	jvmRestoreHooks,
 	isCRIUSupportEnabled,
 	isCRIUSupportEnabled_VM,
+	enableCRIUSecProvider,
 	isCheckpointAllowed,
 	isNonPortableRestoreMode,
 	isJVMInPortableRestoreMode,

runtime/vm/jvminit.c

@@ -3885,6 +3885,16 @@ processVMArgsFromFirstToLast(J9JavaVM * vm)
 		}
 	}
 
+	{
+		IDATA enableCRIUSecProvider = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXENABLECRIUSECPROVIDER, NULL);
+		IDATA disableCRIUSecProvider = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXDISABLECRIUSECPROVIDER, NULL);
+		if (enableCRIUSecProvider >= disableCRIUSecProvider) {
+			if (J9_ARE_ANY_BITS_SET(vm->checkpointState.flags, J9VM_CRIU_IS_CHECKPOINT_ENABLED)) {
+				vm->checkpointState.flags |= J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER;
+			}
+		}
+	}
+
 	{
 		IDATA enableCRIUNonPortableMode = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXENABLECRIUNONPORTABLEMODE, NULL);
 		IDATA disableCRIUNonPortableMode = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXDISABLECRIUNONPORTABLEMODE, NULL);